Run Nessus on Mac OS X as a Non-Privileged User

Limitations

For use with Nessus 6.7 or later.

When scanning localhost, Nessus plugins assume that they are running as root. Therefore, certain types of scans may fail. For example, because Nessus is now running as a non-privileged user, file content Compliance Audits may fail or return erroneous results since the plugins are not able to access all directories.

nessuscli does not have a --no-root mode. Running commands with nessuscli as root could potentially create files in the Nessus install directory owned by root, which could cause Nessus to be unable to access them appropriately. Use care when running nessuscli, and potentially fix permissions with chown after using it.

On the Mac, in System Preferences -> Users & Groups, create a new Group.

Next, in System Preferences -> Users & Groups, create the new Standard User. This user will be configured to run as the Nessus non-privileged account.

Add the new user to the group you created in Step 1.

Remove 'world' permissions on Nessus binaries in the /sbin directory.

sudo chmod 750 /Library/Nessus/run/sbin/*

Change ownership of /Library/Nessus/run directory to the non-root (Standard) user you created in Step 2.

sudo chown -R nonprivuser:nonprivuser /Library/Nessus/run

Give that user read/write permissions to the /dev/bpf* devices. A simple way to do this is to install Wireshark, which creates a group called "access_bpf", as well as a corresponding launch daemon to set appropriate permissions on /dev/bpf* at startup. In this case, you can simply assign the "nonpriv" user to be in the "access_bpf" group. Otherwise, you will need to create a launch daemon giving the "nonpriv" user, or a group that it is a part of, read/write permissions to all /dev/bpf*.
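The following POSIX shell script is an added example, not Tenable's code and not part of this page. It checks the state that the permission, ownership and /dev/bpf* steps above establish, reports the root-owned files that the nessuscli caveat in the Limitations section warns about, and writes the launch daemon alternative mentioned for the /dev/bpf* step. The account name nonprivuser, the install path /Library/Nessus/run and the group access_bpf follow the page; the launchd label local.example.chmod-bpf, the function names and the temporary paths used in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example: post-configuration audit for a non-privileged Nessus install
# on macOS. Not Tenable's code. The account and install directory are
# parameters so each function can be run against any directory.
set -u

# Check for the chmod 750 step: list regular files under $1 that still carry
# any world permission bit (r, w or x for "other"). Returns 0 when clean.
check_no_world_perms() {
    dir=$1
    bad=$(find "$dir" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)
    if [ -n "$bad" ]; then
        printf 'world-accessible files under %s:\n%s\n' "$dir" "$bad"
        return 1
    fi
    return 0
}

# Check for the chown step and the nessuscli caveat: list entries under $1
# that are not owned by user $2. nessuscli run as root can leave root-owned
# files behind; these are the ones to chown back. Returns 0 when clean.
check_ownership() {
    dir=$1; user=$2
    bad=$(find "$dir" ! -user "$user" 2>/dev/null)
    if [ -n "$bad" ]; then
        printf 'entries under %s not owned by %s:\n%s\n' "$dir" "$user" "$bad"
        return 1
    fi
    return 0
}

# Repair for a failed ownership check: hand everything under $1 back to $2.
# Needs root (sudo) on a real install, exactly like the page's chown line.
fix_ownership() {
    chown -R "$2:$2" "$1"
}

# Alternative to installing Wireshark for the /dev/bpf* step: write a launchd
# job that, at boot, gives the group named in $2 (e.g. access_bpf) read/write
# access to every /dev/bpf* node. $1 is the plist path, normally a file under
# /Library/LaunchDaemons. The label and script body are this example's own.
write_bpf_launchdaemon() {
    plist=$1; group=$2
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>local.example.chmod-bpf</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>chgrp $group /dev/bpf* &amp;&amp; chmod g+rw /dev/bpf*</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Run both checks against an install; prints offenders, returns 1 if any.
audit_nessus_install() {
    dir=${1:-/Library/Nessus/run}; user=${2:-nonprivuser}
    status=0
    check_no_world_perms "$dir/sbin" || status=1
    check_ownership "$dir" "$user" || status=1
    return $status
}

# Usage on the real install (as root, since the directory is no longer
# world-readable):  sh audit_nessus.sh /Library/Nessus/run nonprivuser
if [ $# -gt 0 ]; then
    audit_nessus_install "$@"
fi
```

Running the audit after every nessuscli invocation is a cheap way to catch the root-owned files the Limitations section describes before they break the service; the plist writer only produces the file, so it still has to be owned by root:wheel and loaded with launchctl as for any other launch daemon.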

For the Step 8 changes to take effect, reboot your system.

Using a text editor, modify the Nessus /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist file and add the following lines. Do not modify any of the existing lines.